Leo Michielsen

Reputation: 21

Removing just one inherited permission using PowerShell

I'm trying to write a script that can remove access rights for just one principal (e.g. Everyone) on folders that have inherited permissions in place.

The other inherited permissions should stay intact. I can remove the inherited permissions and then remove access for that group, but inheritance is then broken. I don't want to re-enable inheritance after this action because of subfolders that have inheritance broken.

How do I just remove this group without messing with the rest of the permissions?

Upvotes: 1

Views: 4824

Answers (3)

JudgeFudge

Reputation: 73

Actually you don't have to delete inheritance.

It is possible to just remove this one little mistake. I had the same error and it was successful on a Windows 2016 file server.

I modified the script from Mathias R. Jessen a bit. If you want to do this for just one folder, replace "$folders = Get-ChildItem" with "$filepath = Get-Item" and only use the commands inside the foreach loop.

Open PowerShell as Admin

# Select all child folders of the starting path
$folders = Get-ChildItem "C:\Path\To\Folder" | Where-Object {$_.PSIsContainer -eq $true}

foreach ($FilePath in $folders)
{
    $FileACL  = Get-Acl $FilePath.FullName
    # GetAccessRules(includeExplicit, includeInherited, identity type): here every Deny entry is selected
    $EveryoneRule = $FileACL.GetAccessRules($true,$true,[System.Security.Principal.NTAccount]) | Where-Object {$_.AccessControlType -eq "Deny"}
    # RemoveAccessRule() takes a single rule, so remove the matches one at a time
    foreach ($rule in $EveryoneRule) {
        [void]$FileACL.RemoveAccessRule($rule)
    }
    Set-Acl $FilePath.FullName -AclObject $FileACL
}

Upvotes: 0
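Before running a loop like the one in this answer, it helps to know whether the entries you are targeting are explicit or inherited on each folder, because RemoveAccessRule() only removes explicit entries and leaves inherited ones in place. The report function below is an added example, not code from the answer above; its name, parameters and the path are this example's own, and it selects the principal by SID (S-1-1-0 is the well-known SID for Everyone) so the match does not depend on the display language of the account name.

```powershell
# Added example: report every ACE for one principal under a folder tree and
# flag whether each entry is inherited. Function name and parameters are
# assumptions made for this example; the path in the usage line is a placeholder.

function Get-PrincipalAceReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known SID for Everyone; pass another SID string for a different principal
        [string] $Sid = 'S-1-1-0',
        [switch] $Recurse
    )

    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Directory
    }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SID-typed identities so orphaned or untranslatable accounts do not throw
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $identity } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Type        = $_.AccessControlType          # Allow or Deny
                    Rights      = $_.FileSystemRights
                    IsInherited = $_.IsInherited                # $true: RemoveAccessRule() alone will not remove it
                    Protected   = $acl.AreAccessRulesProtected  # $true: this folder no longer inherits from its parent
                }
            }
    }
}

# Usage (placeholder path):
# Get-PrincipalAceReport -Path 'C:\Path\To\Folder' -Recurse | Format-Table -AutoSize
```

Rows with IsInherited set to $true are the folders where the loop in the answer will not change anything; those need the inheritance step described in the accepted answer below, or the entry has to be removed on the parent that the ACE is inherited from.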

VulcainMM

Reputation: 1

To remove a group's or user's ACE without disabling inheritance, use CACLS folder /E /R group/user. I know that CACLS is deprecated, but I have not found any equivalent when using iCacls or SETACL.

Upvotes: 0

Mathias R. Jessen

Reputation: 174485

You cannot (by design) remove an inherited permission, "without messing with the rest of the permissions".

What you can do is:

  1. Disallow inheritance, but preserve already inherited rules
  2. Remove/modify the EVERYONE ACE after removing inheritance

Like this:

$FilePath = "C:\parentFolder\childItem.ext"
$FileACL  = Get-Acl $FilePath

# Remove inheritance but preserve existing entries
$FileACL.SetAccessRuleProtection($true,$true)
Set-Acl $FilePath -AclObject $FileACL

# Retrieve new explicit set of permissions
$FileACL  = Get-Acl $FilePath

# Retrieve the "everyone" rules (a principal can hold more than one entry, e.g. Allow and Deny)
$EveryoneRules = $FileACL.GetAccessRules($true,$true,[System.Security.Principal.NTAccount]) | Where-Object {$_.IdentityReference -eq [System.Security.Principal.NTAccount]"EVERYONE"}

# Remove them one at a time - or modify each and use SetAccessRule() instead
foreach ($EveryoneRule in $EveryoneRules) {
    [void]$FileACL.RemoveAccessRule($EveryoneRule)
}

# Set ACL on file again
Set-Acl $FilePath -AclObject $FileACL

Upvotes: 8
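The two steps in this answer, applied to a whole folder tree with a dry-run option and a verification read-back, as an added example that is not part of the original answer. It generalizes the answer's script in three ways: it targets the principal by SID (S-1-1-0 is the well-known SID for Everyone) rather than by account name, it only breaks inheritance on folders where a matching entry is actually inherited, and it removes every matching entry (Allow and Deny) rather than assuming there is exactly one. The function name, parameters and the paths in the usage lines are this example's own.

```powershell
# Added example: remove all ACEs for one principal from a folder (and optionally its
# subfolders), breaking inheritance only where needed and keeping every other entry.
# Function name and parameters are assumptions made for this example; paths are placeholders.

function Remove-PrincipalFromFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known SID for Everyone; pass another SID string for a different principal
        [string] $Sid = 'S-1-1-0',
        [switch] $Recurse
    )

    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    # Handle the starting folder first: once it stops passing the entry down,
    # most subfolders have nothing left to remove
    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Recurse -Directory
    }

    foreach ($item in $targets) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $rules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object { $_.IdentityReference -eq $identity })

        if ($rules.Count -eq 0) {
            Write-Verbose "$($item.FullName): no ACE for $Sid"
            continue
        }

        if (-not $PSCmdlet.ShouldProcess($item.FullName, "remove $($rules.Count) ACE(s) for $Sid")) { continue }

        # Step 1 (only when a matching entry is inherited): stop inheriting, but copy the
        # inherited entries into explicit ones so nothing else on the folder changes
        if ($rules | Where-Object IsInherited) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            # Re-read so the now-explicit copies are what RemoveAccessRule() operates on
            $acl   = Get-Acl -LiteralPath $item.FullName
            $rules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object { $_.IdentityReference -eq $identity })
        }

        # Step 2: remove each matching explicit entry; RemoveAccessRule() takes one rule at a time
        foreach ($rule in $rules) {
            [void]$acl.RemoveAccessRule($rule)
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl

        # Verify by reading the DACL back rather than trusting the in-memory object
        $left = @((Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType) |
                  Where-Object { $_.IdentityReference -eq $identity })
        [pscustomobject]@{ Path = $item.FullName; Removed = $rules.Count; Remaining = $left.Count }
    }
}

# Usage (placeholder paths): preview with -WhatIf, then apply
# Remove-PrincipalFromFolderAcl -Path 'C:\Path\To\Folder' -Recurse -WhatIf
# Remove-PrincipalFromFolderAcl -Path 'C:\Path\To\Folder' -Recurse -Verbose
```

Because SetAccessRuleProtection() is only called on folders where a matching entry is inherited, subfolders that already had inheritance disabled keep their own explicit entries untouched, which is the situation the question is worried about. A non-zero Remaining count in the output means an entry survived (for example one re-inherited from a parent that was not in scope) and should be inspected rather than assumed gone.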
